Where the regime sits today

Until the FSMA 2026 authorisation regime is live, UK cryptoasset activity is regulated through three principal mechanisms:

  • The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLRs) — under which the FCA maintains a cryptoasset register for firms providing exchange or custody services in or from the UK.
  • The financial-promotion regime under section 21 FSMA 2000 — which has applied to qualifying cryptoasset promotions since October 2023 and operates as a discrete compliance perimeter.
  • The DLT-related provisions of the Financial Services and Markets Act 2023 — which empowered HM Treasury to bring cryptoassets within the regulated-activities perimeter.

Together these mechanisms have produced a regime that is rigorous on AML registration and on financial promotion but does not authorise cryptoasset firms in the conventional FSMA sense. The FSMA 2026 regime closes that gap.

The FSMA 2000 (Cryptoassets) Regulations 2026

The Financial Services and Markets Act 2000 (Regulated Activities and Miscellaneous Provisions) (Cryptoassets) Order 2026 was made on 4 February 2026. It introduces four new regulated activities under FSMA 2000:

  1. Issuing a fiat-referenced stablecoin from the UK.
  2. Safeguarding cryptoassets on behalf of clients (custody).
  3. Arranging for the safeguarding of cryptoassets (referral and intermediation activity).
  4. Operating a qualifying cryptoasset trading platform.

Firms providing any of these activities by way of business in or from the UK will need full FCA authorisation under FSMA 2000. The MLR cryptoasset registration regime continues alongside (it covers a wider activity perimeter), but it does not satisfy the FSMA authorisation requirement for the activities listed above.

The dates that matter

Milestone | Date | Action required
Authorisation gateway opens | 30 September 2026 | FCA begins accepting Phase 1 authorisation applications.
Application window closes | 28 February 2027 | Firms intending to be authorised at regime go-live must have submitted by this date.
Regime live | 25 October 2027 | From this date, performing the new regulated activities without authorisation is a criminal offence.

The window between gateway opening and regime go-live is twelve months. The FCA has been clear in its policy commentary that firms applying earlier in the window will be processed earlier — and that firms applying late may not be authorised by go-live, with the consequence that they would have to cease activity.

No automatic conversion from MLR registration

The most important practical point for UK-active firms is that there is no automatic conversion from MLR cryptoasset registration to FSMA 2026 authorisation. A firm holding an MLR registration today must submit a full FSMA authorisation application within the window, on the same standard as a firm that has never engaged with the FCA.

The MLR registration provides credibility with the supervisor — a clean MLR file, an evidenced AML programme, and a track record of regulator engagement all help — but it does not substitute for the FSMA application itself. Firms relying on "we're already MLR-registered" as the path to FSMA authorisation are misreading the policy.

What the FCA expects in an FSMA 2026 authorisation file

The FSMA 2026 authorisation file is structured against the FCA's standard authorisation framework, calibrated to the cryptoasset perimeter. The components are converging on a recognisable structure:

  • A Regulatory Business Plan defining the activity perimeter against the four new regulated activities and the specific cryptoassets in scope.
  • Three-year financial projections aligned to the FCA's prudential requirements (initial capital and own-funds requirements differ by activity).
  • Governance and three-lines-of-defence operating model, with named Senior Management Functions (SMFs) under the Senior Managers and Certification Regime (SMCR).
  • AML / CFT framework — building on the firm's existing MLR-grade framework, calibrated to the FSMA-perimeter risk profile.
  • Custody, segregation and key-management framework where safeguarding is in scope.
  • Trading-platform operational rulebook where operating a qualifying cryptoasset trading platform is in scope.
  • Stablecoin issuance framework — reserve management, redemption mechanics, white paper equivalent — where stablecoin issuance is in scope.
  • Operational-resilience framework aligned to the FCA's operational-resilience expectations.
  • Conflicts management, market-abuse surveillance, and consumer-duty framework documentation.

The Senior Managers and Certification Regime

FSMA-authorised firms operate under SMCR. For cryptoasset firms, this means named Senior Management Functions accountable for specific areas of the firm's activity, with statements of responsibility filed with the FCA. The SMF stack for a typical cryptoasset firm includes:

  • SMF1 — Chief Executive.
  • SMF3 — Executive Director (where applicable).
  • SMF16 — Compliance Oversight.
  • SMF17 — Money Laundering Reporting Officer.
  • SMF24 — Chief Operations function (where the firm has scaled operations).
  • Plus the relevant prescribed responsibilities and (where applicable) the CASS / safeguarding responsibilities for safeguarding firms.

Each SMF holder is approved individually by the FCA and is personally accountable for their area. SMCR readiness is one of the most under-prepared areas in firms transitioning from MLR registration.

The financial-promotion regime — independent and continuing

The cryptoasset financial-promotion regime under section 21 FSMA continues to operate alongside the new authorisation regime. Authorised firms can communicate their own promotions; unauthorised firms must have their promotions approved by an FCA-authorised approver. Several FCA-authorised approvers exist in the market.

The financial-promotion perimeter remains a discrete compliance area — the new authorisation regime does not change the obligations on promotions content, risk warnings or the cooling-off mechanics for retail offers.

Three remediation items most UK-active firms still owe their boards

  1. An FSMA 2026 authorisation file readiness assessment — a structured gap analysis against the FCA's expected authorisation pack, with a defined remediation roadmap to the 30 September 2026 gateway.
  2. An SMCR readiness assessment — SMF role-mapping, statements of responsibility, prescribed responsibilities allocation, and individual fit-and-proper preparation.
  3. A regulatory engagement plan — early FCA dialogue ahead of gateway, with a defined cadence through the application window.

How CASA helps

  • FSMA 2026 readiness diagnostic — a fixed-fee assessment against the FCA's expected authorisation pack.
  • FSMA 2026 authorisation programme — end-to-end ownership of the application file, in partnership with named UK counsel.
  • SMCR build-out — SMF role design, statements of responsibility, and individual fit-and-proper preparation.

References: Financial Services and Markets Act 2000 (Regulated Activities and Miscellaneous Provisions) (Cryptoassets) Order 2026; Financial Services and Markets Act 2023; Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017; FCA policy statements on the cryptoasset regulatory regime (2024-2026).

This briefing is general commentary by CASA and does not constitute regulated legal, financial or investment advice. Firms should confirm specific positions with retained counsel and the relevant supervisory authority.